Impact assessment

Investigatory Powers (Amendment) Bill: impact assessment (accessible version)

Updated 26 April 2024

© Crown copyright 2024

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/investigatory-powers-amendment-bill-impact-assessments/investigatory-powers-amendment-bill-impact-assessment-accessible-version

Impact Assessment, The Home Office

Title: Investigatory Powers (Amendment) Bill 2023

IA No: HO0476

RPC Reference No: N/A

Other departments or agencies: N/A

Date: 30 January 2024

Stage: FINAL

Intervention: Domestic

Measure: Primary legislation

Enquiries: ipareviewteam@homeoffice.gov.uk

RPC Opinion: Not Applicable

Business Impact Target: Non qualifying provision

Cost of Preferred (or more likely) Option 2 (in 2022 prices)

Net Present Social Value NPSV (£m) N/A
Business Net Present Value BNPV (£m) N/A
Net cost to business per year EANDCB (£m) N/A

What is the problem under consideration? Why is government intervention necessary?

Since the introduction of the Investigatory Powers Act 2016 (IPA 2016) there have been significant changes to the technology landscape and the nature of threats faced by the UK has continued to evolve. As a result, the Investigatory Powers (Amendment) Bill will make targeted amendments to the IPA 2016 to ensure that the intelligence agencies have the tools they need to continue to keep the country safe. The significant elements of this intervention are informed by a need to increase the agility of intelligence agencies and ultimately improve their effectiveness in addressing the threats which pose a risk to the UK’s national security.

What is the strategic objective? What are the main policy objectives and intended effects?

The strategic objective of the Bill is to keep citizens safe and secure. The policy objective is to improve the functioning of the IPA 2016 and ensure the UK’s investigatory powers framework remains fit for purpose in response to the technological advancements which have occurred since the IPA 2016 came into force. Success will be measured on an ongoing basis and through existing oversight mechanisms, including Investigatory Powers Commissioner’s Office (IPCO) reporting and inspections.

What policy options have been considered, including any alternatives to regulation?

Please justify preferred option (further details in Evidence Base)

  • Option 1: ‘Do-nothing’. To maintain the existing provisions of the IPA 2016.
  • Option 2: Use primary legislation to make targeted reforms to the IPA 2016, including on: Bulk Personal Datasets, approach to Third Party Bulk Personal Datasets, Notices Regime, Internet Connection Records, Warrantry, IPCO Functions, Communications Data and Interception. This is the government’s preferred option as it meets the strategic and policy objectives.

Main assumptions/sensitivities and economic/analytical risks                                                                                              

Discount rate (%) N/A

The main analytical risk is that the costs and benefits cannot be monetised due to an absence of available data, uncertainty, the nature of the costs and benefits, and confidentiality.

Will the policy be reviewed?

It will be reviewed.

If applicable, set review date:

05/2029

I have read the Impact Assessment and I am satisfied that, given the available evidence, it represents a reasonable view of the likely costs, benefits and impact of the leading options.

Signed by the responsible Minister: [signature]

Date: 29 January 2024                                               

Summary: Analysis & Evidence: Policy Option 2

Description:

The Investigatory Powers (Amendment) Bill will make targeted amendments to the IPA 2016, ensuring that government agencies, including the intelligence agencies, have the tools they need to continue to keep the country safe. The significant elements of this intervention are informed by a need to increase the agility and effectiveness of intelligence agencies to protect the UK’s national security in light of changes to the threat picture and technological advancements, whilst ensuring safeguards remain fit for purpose. This impact assessment outlines the economic and social impact of the above reform measures.

Full economic assessment

Year(s):

Price Base 2022
PV Base 2024
Appraisal 10
Transition 1

Estimate of Net Present Social Value NPSV (£m)

Low: N/A
High: N/A
Best: N/A

Estimate of BNPV (£m)

Best BNPV N/A
Costs, £m Transition Constant Price Ongoing Present Value Total Present Value Average/year Constant Price To Business Present Value
Low N/A N/A N/A N/A N/A
High N/A N/A N/A N/A N/A
Best Estimate N/A N/A N/A N/A N/A

Description and scale of key monetised costs by ‘main affected groups’

The costs to government and the public cannot presently be monetised due to uncertainty, data availability and their fundamental nature, though they are expected to be low.

Other key non-monetised costs by ‘main affected groups’

It is anticipated that the Notices regime amendment will incur negligible familiarisation costs to business; however, due to analytical uncertainty and confidentiality, they cannot be accurately estimated. Additional resource costs to business incurred through the Notices regime amendment will continue to be reimbursed by the government where requested by the company, as per the IPA 2016.

Benefits, £m Transition Constant Price Ongoing Present Value Total Present Value Average/year Constant Price To Business Present Value
Low N/A N/A N/A N/A N/A
High N/A N/A N/A N/A N/A
Best Estimate N/A N/A N/A N/A N/A

Description and scale of key monetised benefits by ‘main affected groups’

The benefits cannot presently be monetised due to data availability, confidentiality issues (including a necessary secrecy around the usage of investigatory powers and operational partners) and their fundamental nature.

Other key non-monetised benefits by ‘main affected groups’

The benefits include security benefits, increased public confidence in the government’s ability to handle data appropriately, time-saving efficiencies and better use of legislation due to the tightening of legislative wording and improved national security.

Business assessment (Option 2)

Direct impact on business (Equivalent Annual) £m:

Cost, £m N/A
Benefit, £m N/A
Net, £m N/A
Score for Business Impact Target (qualifying provisions only) £m: N/A
Is this measure likely to impact on trade and investment? Y

Are any of these organisations in scope?

Micro Y
Small Y
Medium Y
Large Y

What is the CO2 equivalent change in greenhouse gas emissions? (Million tonnes CO2 equivalent)

Traded: N/A
Non-Traded: N/A

People and specific impacts assessment (Option 2)

Are all relevant Specific Impacts included? N
Are there any impacts on particular groups? N

A. Strategic objective and overview

1. The 2016 Investigatory Powers Act (IPA 2016) provided the United Kingdom with a robust and proportionate oversight regime[footnote 1] which placed the investigatory powers used by public authorities and the UK Intelligence Community (UKIC) on a statutory footing. Furthermore, it enhanced the safeguards applied to the use of investigatory powers, requiring warrants for the most intrusive powers to be authorised by both the Secretary of State (or Scottish Minister in relation to Serious Crime only warrants in Scotland) and an independent Judicial Commissioner (JC).

2. The Home Secretary’s report[footnote 2] on the operation of the IPA 2016 and Lord (David) Anderson’s independent review[footnote 3] of the IPA 2016 both noted that the IPA 2016 should be updated to improve its operation, highlighting the technological and geopolitical changes which have taken place since 2016 as well as lessons learned in the seven years since the inception of IPA came into force.

3. Reform to the IPA 2016 is required to ensure that the UKIC is more effectively equipped to counter a wide range of evolving threats to the UK both now and in the future. Change is needed to effectively support a range of operational priorities, as well as serious and organised crime, and child sexual exploitation and abuse.

4. The Investigatory Powers (Amendment) Bill (the Bill) is intended to deliver a package of targeted reforms to the IPA 2016, as outlined within this Impact Assessment (IA). These reforms are designed to enable UKIC to better deal with current and future threats to national security.

5. An updated IPA should contribute towards the Home Office’s priority outcomes of reducing serious crime and reducing the risk of terrorism to the UK, its citizens, and interests overseas[footnote 4], so people can live freely and with confidence.

6. In addition, the Integrated Review Refresh (2023) noted the “growing prospect that the international security environment will further deteriorate in the coming years, with state threats increasing and diversifying in Europe and beyond”.[footnote 5] This includes to “continue developing the capabilities and necessary powers of our intelligence agencies, to support both covert and overt activity”.[footnote 6]

A.2 Background

7. The IPA 2016 sets out the statutory powers which govern the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies. The IPA 2016 brought together powers for obtaining communications and communications data available to law enforcement set out in different pieces of legislation in one act of Parliament. The IPA 2016 was intended to ensure that these powers, and their attendant safeguards, were clear and proportionate. It also improved processes for authorisation and oversight, notably by requiring certain categories of warrants to be approved by independent JCs, working under an Investigatory Powers Commissioner (IPC) whose Office (IPCO) provides technical and judicial oversight of how investigatory powers are used.

8. In the IPA 2016, the government committed to a statutory review of the operation of the act within a six-month period to be undertaken between May and November 2022 (the Review). This Review was published in February 2023.[footnote 7]

9. The Review concluded that the IPA 2016 had achieved its aims of consolidating and updating existing powers relating to communications data, the interception of communications and equipment interference, and consolidation of oversight bodies. The Review also concluded that the IPA 2016 had been similarly successful in providing enhanced oversight (in the form of IPCO) and safeguards for the use of powers mandated in the IPA 2016. However, it was put forward in the review that whilst the technology-neutral approach of the IPA 2016 has “largely withstood” the technological advancements (such as the expansion of artificial intelligence and machine learning tools) since the Act has been enacted indicate the need for reform. This reform will enable UKIC and law enforcement to exercise their powers under the IPA 2016 more effectively in the work against national security threats and serious crime.

10. In January 2023, the Home Secretary appointed Lord (David) Anderson KBE KC to undertake a review of the IPA 2016 (Lord Anderson’s Report), entirely independent from the statutory review. Lord Anderson’s Report was published in June 2023 and stated:

The IPA continues to provide a solid and generally satisfactory framework for the regulation of investigatory powers. I believe that it has played a significant part in restoring trust in the UK (…) and in renewing what has aptly been called UKIC’s democratic licence to operate[footnote 8]

11. Lord Anderson noted how changes in technology as well as lessons learned since the IPA 2016’s implementation mean an update to the legislation is required. The purpose of reform, he argued, should be to afford UKIC, law enforcement agencies (LEAs), and IPCO “extra agility” while leaving central functions of the IPA 2016 intact.

12. Since the IPA 2016 came into force, there has been exceptional growth in the volume and type of data relating to people, objects, and locations across all sectors of society. Much of this data is readily accessible and exploitable by the public, the private sector, and foreign states with minimal restrictions. UKIC is currently uniquely constrained by the IPA 2016 in how it is able to utilise this data and change is needed to level the playing field, ensuring UKIC and LEAs are able to effectively confront terrorism, child sexual abuse and exploitation, and threats posed by hostile states.

13. It has also become clear that privacy-enhancing technologies are being rolled out by tech companies without a lawful access solution, thereby preventing the UK Government’s lawful access to data and undermining its ability to protect UK citizens. Following world leading UK-US Data Access Agreement entering into force in 2022, the UK is able to lawfully access the data held by US companies for the investigation, detection, prevention and prosecution of serious crime, more quickly than ever before. Advancements such as the DAA must be protected from unilateral action by tech companies, which requires an update to the IPA 2016 Notices regime to achieve. The government supports strong privacy, including the responsible use of end-to-end encryption, but it must not come at the expense of public safety. This is why we maintain that encryption services can and must be implemented in a way that maintains lawful access and does not blindfold companies from crimes like child abuse and terrorism on their platforms.

14. Based on the experiences of agencies within scope of the IPA 2016, as well as the IPC, there is also a need to update more targeted aspects of governance – such as the IPC’s functions – to improve the effectiveness of the regime.

A.3 Groups affected

  • Government departments (The Home Office, Foreign, Commonwealth and Development Office (FCDO), Ministry of Defence (MoD), Ministry of Justice (MoJ), NIO, Cabinet Office, Department of Digital, Culture, Media and Sport (DCMS), Department for Business and Trade and Department (DBT) and Department for Science, Innovation and Technology (DSIT).
  • UKIC (Security Service, Secret Intelligence Service, GCHQ)
  • LEAs (National Crime Agency (NCA), the Police, HM Revenue and Customs, wider law enforcement)
  • HM Courts and Tribunal Service
  • Crown Prosecution Service
  • HM Prison Service
  • The Scottish Government
  • The public
  • The communications industry – Telecommunications Operators.

A.4 Consultation

Within government

15. The Home Office engaged extensively across government to inform the Home Secretary’s statutory review of the IPA 2016, with the conclusions of this Review process published in February 2023.[footnote 9]

16. With regards to the reforms being taken forwards in the Bill, the Home Office consulted other government departments and operational partners. The Devolved Governments have also been consulted on the policy proposals which sit within their devolved competence.

Public consultation

17. As part of Lord Anderson’s Report into the IPA 2016 Lord Anderson issued a public call for evidence which provided an opportunity for external stakeholders to provide views on the areas where reform was being considered. The responses to this call for evidence were reflected in Lord Anderson’s Report.

18. Additionally, from 5 June 2023 to 31 July 2023, the government ran a public consultation on changes to the Notices regimes in the IPA 2016[footnote 10]. The consultation set out the government’s proposed objectives to improve the effectiveness of the current regime in response to technological changes and the risk they pose to investigatory powers, as well the increase in data being held overseas. The consultation sought input to inform potential policy and legislative proposals intended to mitigate those risks whilst still promoting technological innovation and the privacy of citizens.

19. In total, 301 responses to the consultation were received. Most of these responses were from members of the public as a result of a campaign by Open Rights Group. There were three responses from telecommunications operators, four from advocacy groups, and three from trade associations.[footnote 10]

B. Rationale for intervention

20. The IPA 2016 provided a significant step forward in terms of ensuring transparency and accountability for government agencies and public authorities who are able to utilise investigatory powers. However, given rapid technological advancements and the ever-increasing volume of data, the act has been unable to keep up with the pace of developments and tools available to criminals, terrorists, and hostile states.

21. Driven by the two reviews of the IPA 2016 published in 2023,[footnote 11] these reforms are firmly rooted within the experience of government agencies responsible for national security over the past seven years.

22. The reforms proposed in this Bill look to increase the effectiveness of UKIC and LEAs whilst maintaining the effective oversight as mandated by the IPA 2016, providing a balance between security and privacy.

23. The Bill seeks to reform the IPA 2016 in a number of ways, including:

  • Recalibrating the safeguards for datasets that are publicly or commercially available, whilst maintaining appropriate safeguards and oversight.
  • Ensuring that operational partners can make more effective use of internet connection records.
  • Reforming the Notices regime to ensure exceptional lawful access capabilities are as effective as possible.

24. For full detail on all measures included in the Bill, please see Tables 1-8 in Section D (Options Considered and Implementation).

25. All these reforms help to address the negative externality which serious crime and terrorism places on society. Both serious crime and terrorism have costs to victims, but they also have costs to society such as the fear which they can cause, restricting the ability for people to live their lives freely and with confidence.

26. In order to address the negative externality of serious crime and terrorism, policing and intelligence services forces require appropriate tools. The reforms to the IPA 2016 will help UKIC and LEAs to confront these threats in the face of geopolitical and technological change.

C. Policy objective

27. The objective of IPA 2016 reform is to improve the functioning of the Act and ensure the UK’s investigatory powers framework remains fit for purpose in response to changes in the technology landscape which have occurred since IPA 2016 came into force. More specifically, it will improve operational partners’ ability to keep the country safe by enabling them to utilise data more efficiently for investigatory purposes and for capability development, use internet connection records for the purposes of discovering serious criminal activity and ensure that cross-government data sharing is enhanced.

28. The proposed changes to the Notices regime in the IPA 2016 will increase its effectiveness as well as ensure they are futureproofed. Amendments to IPA 2016 oversight are intended to improve the function of the IPCO and warrantry process, particularly by increasing the resilience of the ‘triple lock’ – (an additional safeguard whereby the Prime Minister must approve the issue of warrants relating to members of a relevant legislature).

29. Success will be measured on an ongoing basis and through existing oversight mechanisms. Chiefly, this includes the IPCO Inspectorate which focuses on three different areas of oversight:

  • 1) use of powers by intercepting agencies (UKIC, NCA and MOD);
  • 2) other public authorities’ use of communications data; and
  • 3) the use by other public authorities of surveillance, covert human intelligence sources and property interference powers.

30. Each of the three thematic inspection areas is led by a Chief Inspector and the updates to the IPA 2016 suggested here would be within scope of their respective remit. A report is produced following every inspection and shared with the Chief Officer of the public authority as well as the Home Secretary.

D. Options considered and implementation

Option 1: Leave the current IPA regime as is ‘Do nothing’

31. Maintaining the existing provisions of the IPA 2016 would mean a continuation of the status quo. This would enable a successful regime to continue to function and is therefore not ‘high risk’. However, the limitations which negatively impact UKIC’s ability to utilise data, as well as the Notices regime, both present an operational risk which could hinder the UK’s ability to deal with serious organised crime, terrorism, child sexual abuse and state threats. These limitations are impeding UKIC’s operational effectiveness today, and with the continued, rapid rise in the generation and exploitation of data across the globe, maintaining the status quo risks UKIC falling behind the UK’s adversaries.

Option 2: Use primary legislation to reform important areas of IPA 2016, including: Bulk Personal Datasets, Third Party Bulk Personal Datasets, Notices Regime, Internet Connection Records, Warrantry, IPCO Functions, Communications Data and Interception.

32. Option 2 is the government’s preferred option as it meets the government’s objectives. Tables 1-8 clarify the specific amendments proposed for Option 2.

Bulk personal datasets

33. Bulk personal datasets (BPDs) are sets of information that include personal data relating to a number of individuals, the majority of whom are not of intelligence interest. For example, an electoral roll or telephone directory. Under the IPA 2016, retention and examination of these datasets must be authorised by way of a bulk personal dataset warrant which has been issued by a Secretary of State and approved by a JC. JCs are serving or retired UK senior judges and are appointed by the Prime Minister (PM).

Table 1: List of Option 2 amendments for Bulk Personal Datasets (Part 7 IPA)

Measure Description of Measure Intended Outcome
BPD safeguards Amend safeguards for the retention and examination of BPDs where there is low or no expectation of privacy. This will create an alternative regime within Part 7 with authorisation and safeguards appropriate for data that meets this criteria. To recalibrate safeguards based on expectation of privacy. This should enable UKIC to make better use of bulk personal datasets where individuals to whom the data relates have low or no expectation of privacy (such as public and official records or certain content derived from online video-sharing platforms). The ‘double lock’ authorisation process of Secretary of State and JC approval will be reserved for more sensitive datasets.
Warrant duration Amend section 213 to allow for the extension of the duration of a BPD warrant from 6 to 12 months. Currently BPDs need to be re-warranted every six months. BPDs are often used to support long-term strategic intelligence activities rather than short-term tactical actions. A longer duration of warrant would enable the value of the BPD to be more appropriately and accurately demonstrated. This would also provide the relevant Secretary of State with a more accurate picture of the necessity and proportionality of the continued warrant authorisation.
Warrant delegation Amend Part 7 to clarify that agency heads can delegate certain existing functions in relation to BPD warrants. Will expressly enable agency heads to delegate certain functions to another Crown servant, whilst still being accountable for decisions that are taken on their behalf. The agency heads will still be required to personally carry out functions where risks are higher (for example, duty to cease activity where a JC refuses to sign off an urgent BPD warrant and the agency head must ensure the activity ceases).

Third party bulk personal datasets

34. Third party BPD are those held by third parties and accessed in situ by UKIC which would constitute a BPD if retained by UKIC under Part 7 IPA 2016. This could include, for example, datasets owned by other government departments.

Table 2: List of Option 2 amendments for Third Party Bulk Personal Datasets

Measure Description of Measure Intended Outcome
New statutory regime Create a new regime which governs the examination of third- party bulk personal datasets in situ by UKIC. Introduce a double lock authorisation (two stage approval by Secretary of State and independent JC) for UKIC access to third party bulk personal datasets.

Notices regime

35. The IPA 2016 provides for three types of Notices: Data Retention Notices enable the retention of communication data; Technical Capability Notices compel companies to build and/or maintain technical capabilities to respond to lawful requests for data; and National Security Notices require the operator to take such specified steps as the Secretary of State considers necessary in the interests of national security. These can be imposed on telecommunications (and in some cases postal) operators and require them to undertake various actions, depending both on the type of notice and its exact contents. All Notices are approved by the Secretary of State and a JC before they can be given to an operator.

36. A telecommunications operator (TO) is defined under Section 261(10) IPA 2016 and means a person who:

  • (a) offers or provides a telecommunications service to persons in the United Kingdom, or
  • (b) controls or provides a telecommunication system which is (wholly or partly)—
    • (i) in the United Kingdom, or
    • (ii) controlled from the United Kingdom.

Table 3: List of Option 2 amendments for Notices Regime

Measure Description of Measure Intended Outcome
Optimising the notice review process. As it stands, during a review period the operator is not required to comply with the notice, so far as referred, until the Secretary of State has concluded the review. Where an operator is seeking to make changes to their services or systems that would have a detrimental effect on a current lawful access capability, this could create a capability gap during the review period.
This measure will ensure TOs do not make changes during the review period that will negatively impact existing lawful access.
Amendments will also allow existing regulations to be amended to specify the time period in which the Secretary of State must complete a review and enable JCs to issue directions in relation to a review.		 The measure will maintain the status quo through the review period, protecting public safety by ensuring that lawful access to data is maintained.
Specifying a time period and allowing JC to issue directions should ensure transparency regarding the length of the process and effective management of the overall review process.
Scope of Notices regime This measure will add greater clarity on how the IPA 2016 applies to companies with complex corporate structures in terms of where data is held or services delivered by different entities spanning the globe, including through clarifying the scope and definition of a TO. Adding greater clarity ensures that the regime remains fit for purpose, meaning that large companies are covered in their totality by the IPA 2016 and not just specific entities of them.
Notification requirements A notification requirement will be introduced, requiring relevant TOs (who will be directly informed that they were bound by the obligation by the Secretary of State) to inform HM Government if they are making changes to their products or services that would negatively impact existing lawful access capabilities. There will be no method within the notification requirement itself for the Secretary of State to intervene in any way with the decision the operator has chosen. The measure will ensure law enforcement have sufficient time to mitigate the impact of the change where possible to keep the public safe.
Renewal of Notices There is currently not a requirement for the IPC to renew the Notices once they are in place. The aim is to introduce a statutory role for the IPC within a renewal process. This renewal process would be conducted if a two-year window had passed since the notice was given, renewed or last varied. This measure would introduce an additional safeguard that will ensure Notices remain necessary and proportionate.
Extraterritorial enforcement Extend extraterritorial enforcement provisions across two IPA Notice regimes, to enhance policy options for dealing with emerging technology. This change will bring Data Retention Notices in line with Technical Capability Notices (which already have extraterritorial applicability and enforcement). The measure introduces an extraterritorial enforcement for Data Retention Notices. This ensures that Notices given to overseas telecommunication companies can be enforced should they need to be for UK security purposes. This is becoming increasingly important as more data of interest is held by overseas companies.
Overseas devices and networks Change to section 87(4) regarding communications data from overseas devices roaming in the UK on an overseas network not constituting Third Party Data and therefore TOs can retain such data. The measure brings foreign roaming data that is occurring on a UK network into data retention scope by closing a loophole in which criminals can use an overseas SIM to avoid scrutiny. Under the IPA 2016, the subject’s Communications Data is not retained by UK telecoms companies as they are not subject to an existing Data Retention Notice when using overseas devices.

Internet connection records

37. An internet connection record (ICR) is a record, comprising a number of items of communications data, of an event about the service to which a customer has connected to on the internet, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from communications service providers (CSPs) by law enforcement and the security and intelligence agencies.

Table 4: List of Option 2 amendments for Internet Connection Records

Measure Description Intended Outcome
Enabling target detection Adding new conditions to the list of existing conditions for the use of Internet Connection Records (section 62) which will allow for target detection, enhancing the usefulness of the power without disproportionately increasing the level of intrusion. Will improve UKIC and NCA’s ability to identify previously unknown individuals, who pose a national security risk or are using the internet to commit high-harm crimes. UKIC and law enforcement can already make use of ICRs but are currently required to know the exact time and service that an individual is using if they do not know their identity, which makes it hard to undertake target detection.
The measure aims to make detection of high- impact offenders easier by removing the requirement for unequivocal knowledge about the service and time of access and instead allows these to be specified. The new conditions are limited in use to just UKIC and the NCA.

Targeted equipment interference warrantry

38. Equipment interference describes a range of techniques used by the equipment interference authorities (intelligence agencies, law enforcement and the MoD) that may be used to obtain communications, equipment data or other information from equipment. Equipment interference can be carried out either remotely or by physically interacting with the equipment. Equipment interference operations vary in complexity.

39. At the lower end of the complexity scale, an equipment interference authority may covertly download data from a subject’s mobile device when it is left unattended, or an equipment interference authority may use someone’s login credentials to gain access to data held on a computer. More complex equipment interference operations may involve exploiting existing vulnerabilities in software in order to gain control of devices or networks to remotely extract material or monitor the user of the device.

Table 5: List of Option 2 amendments for Targeted Equipment Interference (TEI) Warrantry

Measure Description of Measure Intended Outcome
Triple lock Amend section 26 and section 111 to increase resilience of the ‘triple lock’. The measure makes sure that warrants requiring the Prime Minister’s sign off can still be authorised by a chosen delegate if the PM is incapacitated or unavailable. The so-called ‘triple-lock’, three stages of approval for such applications, will still involve the Secretary of State’s decision to issue the warrant and the approval of a JC. The effect of this change is that investigations are not hindered by delays caused by the absence of the PM.
TEI authorisation delegation Extend TEI authorisation powers to NCA Deputy Director Generals (DG). Boosts the resilience of the NCA by allowing targeted equipment interference warrants to be issued by NCA Deputy DGs – ensuring that there isn’t a single point of failure if the DG is incapacitated/unavailable.
TEI warrants Amend the process for removal of subjects from a TEI warrant. This will reduce the administrative burden on secretaries of state and warrantry teams without a meaningful impact on oversight.
TEI warrants Law Enforcement Equipment Interference (EI) Delegation (Schedule 6) Clarifying the lawful authority for the delegation of the authorisation of TEI warrants. This was caused by the citation of a piece of separate legislation on law enforcement delegation that had been revoked. This corrects that citation.
Warrants in Scotland Amendments to section 102(4) to correct a drafting error regarding the Secretary of State approval of Targeted Examination Equipment Interference warrants in Scotland. Amending a drafting error to ensure Targeted Examination Equipment Interference warrants will be issuable in Scotland on national security grounds.

Investigatory Powers Commissioner’s functions

40. The role of the IPC was created in the IPA 2016 in part by merging the three existing oversight bodies into one. The IPCO was founded in September 2017 as part of the IPA 2016. The IPC, supported by the JCs, oversees the use of covert investigatory powers by public authorities, including the UK’s intelligence agencies, law enforcement agencies, police, councils, and prisons. The IPC plays a critical role in the authorisation of IPA warrants as part of the double lock process. IPCO independently reviews applications from public authorities to use the most intrusive powers authorised by the IPA 2016 and checks that all powers are used in accordance with the law.

Table 6: List of Option 2 amendments for Investigatory Powers Commissioner’s Functions

Measure Description of Measure Intended Outcome
Reporting of errors Amend definition of section 231(9) to create statutory basis for reporting relevant errors in Codes of Practice under the Regulation of Investigatory Powers Act 2000 (RIPA 2000), Regulation of Investigatory Powers (Scotland) Act 2000 (RIP(S)A 2000) and the Police Act 1997 (PA 1997), in addition to Schedule 7 IPA. This amendment will ensure that there is a clearer statutory basis for reporting errors under the RIPA 2000, RIP(S)A 2000 and PA 1997 and codes of practice relating to those Acts to the IPC. This will ensure that public authorities have clarity around their error reporting.
New statutory regime for deputy Statutory basis for appointing a deputy IPC. Placing the appointment of up to two deputies on a statutory footing. This will ensure greater resilience in the system as it will allow the IPC to delegate his powers to deputy IPCs when the IPC is unable or unavailable to carry out his functions, which will provide the wider oversight regime with continuity and resilience.
Appellate functions Ability to delegate IPC’s appellate functions to deputy IPCs and ability to delegate the section 60A IPA 2016 functions to JCs. Will permit JCs at IPCO (serving or retired members of the senior Judiciary) to carry out functions that can currently only be carried out by the IPC in relation to the authorisation of certain Communications Data requests. It will also permit the deputy IPCs to consider appeals against a decision taken by a JC.
This is particularly important for when the IPC is unable to act within the required timescale and will therefore ensure greater resilience in the system.
Prisoner telecoms restriction orders Removal of oversight of telecoms restriction orders for prisoners. Removes IPC oversight of telecoms restriction orders for prisoners – these orders are already approved by a Judge before being sent to the IPC. The IPC approval is therefore not adding anything further in respect of assurance or oversight.
IPC oversight Amend section 230 to expand the list of public authorities in relation to which the PM can direct IPC oversight. The PM has the power to ask the IPC to provide oversight of additional public authorities so far as relating to intelligence activities. This would expand the list of public authorities that this can apply to and ensure greater flexibility in responding to emerging oversight requirements.
Temporary Judicial Commissioners Enabling the ability to appoint JCs on a temporary basis. Provides additional flexibility and resilience to the IPC in exceptional circumstances. This was a critical measure in the Coronavirus Act 2020 that ensured warrantry could continue to function during the pandemic.
Freedom of Information Categorising JCs as a security body under the Freedom of Information Act 2000 (FOIA 2000). Ensures that sensitive information does not have to be released under the FOIA 2000[footnote 12], which is in line with other public authorities that handle sensitive information, such as the intelligence agencies.
MoD and covert human intelligence sources (CHIS) Placing the IPC’s oversight of compliance by the MoD with policies governing the use of surveillance and the use and conduct of CHIS outside the United Kingdom, on a statutory footing; (section 229) Provides IPCO oversight of MoD’s use of CHIS overseas to improve transparency and accountability.
Reporting of TO personal data breaches to the ICO and IPC) Repeals reg. 5A(9) of the Privacy and Electronic Communications Regulations 2003 (PECR), which currently prevents TOs from reporting certain personal data breaches to the ICO; Imposes an obligation in the IPA for TOs to report personal data breaches to the IPC, where a statutory restriction prevents them from reporting such breaches to the ICO; Creates a power in the IPA for the IPC to notify an individual who has been subject to a serious personal data breach of the breach and any right to they might have to seek a remedy (s.235A) IPA. Ensures there is clarity for TOs around reporting certain personal data breaches to the ICO by repealing a statutory block that would have prevented such personal data breaches being reported to the ICO. Where there is a statutory restriction, such breaches will be reported to the IPC instead. This measure will enable the IPC to notify individuals affected by a personal data breach by a TO:
- (a) , if (following a referral by a JC to the ICO) the ICO considers the breach to be serious and notifies the IPC of this; and
- (b)   if the IPC subsequently determines it is in the public interest to do so.

Communications data

41. Communications data (CD) is the ‘who’, ‘where’, ‘when’ and ‘how’ of a communication but not its content. It enables the identification of the caller, user, sender or recipient of a phone call, text message, internet application or email (together with other metadata), but not what was said or written.

42. The IPA 2016 definition of communications data is made up of “Entity data” (for example, phone numbers or other identifiers linked to customer accounts) and “Events data” (for example, the fact that someone has sent or received an email, phone call, text or social media message/ the location of a person when they have made a mobile call or used a Wi-Fi hotspot).

Table 7: List of Option 2 amendments for Communications Data

Measure Description of Measure Intended Outcome
Definition of ‘lawful authority’ Add to section 11 a definition of ‘lawful authority’ and ensure that cross- government data sharing is not inhibited by the current regime. There is currently no definition of ‘lawful authority’ in respect of communications data acquisition in the IPA 2016. This will reduce the legal risk to public authorities of inadvertently committing a section 11 offence by defining ‘lawful authority’ (including a non- exhaustive list of examples). This measure will also end the unintended consequence of the IPA 2016 that currently prevents cross- government data sharing. For example, it would allow data to be shared between government departments without an IPA 2016 authorisation to authenticate citizens wanting to access public services such as benefits system, passports, and licenses.
Definition of ‘communications data’ Amendment to section 261 the definition of Communications Data to remove ambiguity by clarifying that subscriber data and account data falls within the scope of “communications data”, rather than potentially being within the meaning of “content”. This will have the effect of reducing errors and increasing efficiencies. Ending the unintended consequence of the IPA 2016 that creates ambiguity on the acquisition of subscriber data where it is transmitted as content data (for example. As part of an online form). The measure will clarify that the definition of “entity data” includes what is known as ‘subscriber data’, giving law enforcement greater reassurance as they acquire this type of data frequently.
Subscriber data refers to any data, information or other content provided to a service provider by an individual subscribed to that service (for example to set up an account). This is aligned to the definition of entity data in the IPA 2016 (section 261 (3))[footnote 13].
Disclosure powers Amend section 12 which restricted specific disclosure powers, reinstating general information gathering powers for bodies with lawfully established and recognised regulatory, supervisory, or civil recovery functions. Section 12 of the IPA 2016 restricts the use of general information gathering powers to obtain communications data through a route other than the IPA 2016. Changes will ensure that there is a clear and unambiguous carve out for civil investigations to obtain data which could be communications data where there are appropriate vires. This will enable public authorities to obtain communications data in support of their statutory functions where these do not meet the statutory purposes of the IPA 2016 (for example, during civil investigations or for a regulatory purpose).

Interception

43. Interception is the process that makes the content of a communication available to someone other than the sender or recipient. This could include listening to telephone calls or opening and reading the contents of a person’s letters or emails.

Table 8: List of Option 2 amendments for Interception

Measure Description of Measure Intended Outcome
Schedule 3 Minor changes to Schedule 3 (exceptions to section 56 which excludes certain matters from legal proceedings) Ensure alignment across the UK to allow intercepted material to be used by Coroners in Northern Ireland and Scotland as is already the case for Coroners in England and Wales.
In addition, changes will also enable intercepted material to be used in parole hearings in England and Wales (mirroring existing provisions for Northern Ireland).

Bulk Equipment Interference

44. Bulk equipment interference includes methods involving interference with multiple computers and devices. This could include implanting software into devices for the purpose of data retrieval to locate potential targets of interest. Only the intelligence agencies have the power, under IPA 2016, to undertake equipment interference in bulk and it is reserved for activity with a foreign focus.

Table 9: List of Option 2 amendments for Bulk Equipment Interference

Measure Description of Measure Intended Outcome
Journalistic safeguards Introducing prior independent authorisation by the IPC before material obtained using bulk equipment interference (Part 6, Chapter 3) can be searched in order to find confidential journalistic material (CJM) or find and identify sources of journalistic information (SJM). Prior approval will also be necessary if that material is searched in a way that makes it highly likely to identify or find journalist material or sources.
Approval is also required for the retention of journalistic material for purposes other than destruction.		 Currently, Section 195 only requires that the IPC be informed when a communication containing CJM or SJM, following its examination, is retained for any purpose other than its destruction.
By introducing prior independent authorisation by the IPC, the measure will therefore provide increased protection for CJM and SJM. It will also ensure alignment with the IPA 2016’s bulk interception regime (Part 6, Chapter 1), the journalistic safeguards of which are also being amended in the same way through the IPA 2016 (Remedial) Order 2023. These changes to bulk interception are necessary to comply with a judgment from the European Court of Human Rights (Big Brother Watch v UK).
The corresponding changes to the bulk equipment interference regime are being made as a matter of policy to make the two regimes consistent.

E. Appraisal

Limitations with the Analysis

44. There are a number of common issues and limitations with the analysis in the IA and these challenges mean that producing monetised and measurable costs and benefits is not possible. This is for a number of reasons including a lack of available data, the necessary secrecy around the usage of IPA 2016 powers and the secrecy around the intercepting agency employment figures.

45. Data is a major issue across the IA, with an absence of public data about the specific powers which means that assessing the way that powers are used, and frequency of use is not possible. This data, which is recorded in warrants, is not publicly available, making it difficult to assess the usage and utility of IPA 2016 powers, therefore limiting examination of the benefits and of the potential cost of expanding usage.

46. The covert nature of IPA 2016 powers is another major limitation as it means the details around the use of IPA 2016 powers cannot be revealed. This is to preserve their utility and meaning that adversaries such as terrorist or serious organised crime actors cannot leverage advantage from knowing details about the scale and circumstances of the use of IPA powers. This secrecy means that costs relating to many amendments cannot be shared in the public domain. This relates to amendments across the IA including Notices, Warrantry and Internet Connection Records.

47. This confidentiality means that the number and nature of TO staff which are involved in the disclosure of information to intercepting agencies is unable to be estimated meaning that the possible familiarisation cost and other costs for businesses involved in IPA 2016 activities cannot be estimated.

48. Secrecy around the nature of intercepting agencies’ capabilities is another limitation of the IA. As with the secrecy of IPA 2016 powers, this is appropriate as it would be inappropriate to reveal important tradecraft or details of staff numbers within the intercepting agencies, particularly those in UKIC. This means that assessing the cost to intercepting agencies for training new staff or upskilling current staff cannot be estimated as the number and nature of the roles which UKIC staff do is classified.

49. All of these limitations mean that this IA is unable to include monetised costs or benefits and therefore assessment of the NPSV and BNPV is impossible.

Overarching Costs

50. These costs are present across multiple amendments and have been summarised and group together to avoid repetition and increase conciseness.

Familiarisation costs

51. Familiarisation costs refer to any costs regarding how staff in telecommunications operators and public sector agencies understand changes in new processes relating to changes in legislation. These changes include reading new guidance and updated documentation, becoming comfortable with what the new processes are and how they adjust to using new datasets. Thus, familiarisation costs will be an unavoidable cost of reforming the IPA 2016. In each case it could be measured as the value of the time a worker spends familiarising with the new scheme, adjusted for the number of works.

52. The amendments have been grouped together as familiarisation costs would be a cost to a variety of stakeholders, from business to IPCO and UKIC. Due to data issues and other limitations, it is not appropriate to comment on the number of staff who would be required to undertake training and familiarisation, meaning an estimate for the familiarisation cost is unable to be calculated.

53. The Notices regime amendments are ones which attracted a degree of concern from some organisations on the perceived opportunity cost to business.

54. For the amendments in the Notices regime, the amount of guidance needed to be read has been estimated to be three pages, which using a reading time calculator[footnote 14] takes between 0.05 hours (three minutes) and 0.17 hours (10 minutes) with a central estimate of 0.1 hour (six minutes). If all amendments had the same amount of guidance, the expected time in total would be one hour. This cost has not been monetised for the reasons set out in paragraphs 44-49.

55. Familiarisation cost is present across most of the amendments of the IPA 2016. It applies to the following measures summarised in Table 10 below.

Table 10: Measures with familiarisation costs

Measure Area
BPD safeguards BPD
New statutory regime Third Party BPD
Notification requirements Notices Regime
Overseas devices and networks Notices Regime
Enabling target detection ICRs
Triple lock TEI Warrantry
TEI authorisation delegation TEI Warrantry
Law Enforcement TEI Delegation (Schedule 6). TEI Warrantry
Reporting of errors IPC Functions
Definition of ‘lawful authority’ Communications Data
Definition of ‘communications data’ Communications Data
Disclosure powers Communications Data

Public privacy

56. The nature of the IPA 2016 is that enforced powers have an impact upon public privacy. However, we are clear that this is proportionate to the risk, and note that only seven per cent of individuals believe the government has restricted personal freedoms too much[footnote 15].

57. YouGov survey results[footnote 16] show that 31 per cent of individuals agree that the security forces should be given more investigative powers to combat terrorism, even if this means that privacy or human rights of ordinary people suffers. Therefore, the expected cost of public loss of privacy of data is expected to be low. It cannot be monetised due to its unquantifiable nature.

58. This cost to public privacy is present across the following measures in Table 11 below.

Table 11: Measures with public privacy costs

Measure Area
BPD safeguards BPD
Enabling target detection ICRs

Increased resource cost

59. Within the IPA reform, there will be some increases in resource cost (such as increases in staff). This will affect intercepting agencies, TOs and IPCO.

60. For intercepting agencies these costs will be borne by government. This is the cost of intercepting agencies having increased access to data, with an example being easier access to bulk personal datasets. However, there is a resource cost associated with these increased powers, which is in the form of additional police and intercepting agencies staff to follow up the leads that would have previously failed to be available to them.

61. There are increased resource costs to TO’s from some of the amendments, particularly in the Notices regime amendments. These costs are from where changes to the legislation requires TOs to change their current activity and increase resource to ensure compliance or to engage with changes to the IPA.

62. All costs to TOs are currently reimbursed by the Government and therefore these are costs to HMG. The cost since 2016 of these reimbursements for all Communications Data requests was £124 million. This cost covers reimbursement for firms due to costs borne by TOs due to the IPA as well as the costs of specific requests that are made to TOs for specific communications data products. This gives a sense of scale of the possible costs.

63. There are increased resource costs to IPCO from many of the amendments. These costs are from where changes to the legislation requires IPCO to change their current activity and increase resource to ensure the correct oversight or to engage with changes to the IPA 2016. This cost is likely to be borne in the form of increase staff costs for IPCO as their role expands and new regimes come under IPCO’s purview.

64. The cost of this increased resource to government, TO’s and IPCO cannot be estimated due to the current level of resource being allocated to IPA related activities being unknown, and classified in the case of some intercepting agencies, as covered in paragraphs 44-49.This cost to the government from increased resources is present in the following measures in Table 12 below.

Table 12: Measures with increased resource costs for intercepting agencies, TOs and IPCO

Measure Area Who?
Extraterritorial enforcement Notices Regime Intercepting agencies
Enabling target detection ICRs Intercepting agencies
Schedule 3 Interception Intercepting agencies
Notification requirements Notices Regime TOs
Overseas devices and networks Notices Regime TOs
Enabling target detection ICRs TOs
New statutory regime Third Party BPD IPCO
Renewal of Notices Notices Regime IPCO
New statutory regime for deputy IPC Functions IPCO

Resource to update Codes of Practice

65. All of the amendments to the IPA will incur increased resource costs as a result of required updates to the Codes of Practice to fit with the changes to the legislation. These Codes of Practice are published by the Home Office and set out processes and safeguards for a number of investigatory powers. It is not possible to monetise this cost since there is no data available regarding how long these updates will take or how many people will be required to work on the updates. All of the amendments to the IPA, summarised in Tables 1-8, will incur increased resource costs. These costs will be borne by government.

Benefits

Overarching Benefits

66. These benefits are present across multiple amendments.

Public security benefits

67. The introduction of the IPA 2016 provided a new framework to govern the use and oversight of investigatory powers by law enforcement and security and intelligence agencies. The aims of the act include, but are not restricted to, aiding counter-terrorism efforts, addressing serious organised crime, and having the ability to investigate subjects of interest.

68. In supporting counter-terrorism efforts, the IPA 2016 and amendments within this IA aim to reduce the risk of a terrorist attack. The Home Office estimates the direct economic cost of the five terrorist attacks that took place in the UK in 2017 to be £181.1 million (2022 Prices). Although the estimates are specific to the 2017 attacks, and do not represent an average cost of terrorism, the figures do show that terrorist attacks generally have a large cost, and thus emphasise the need for a focus on security.

69. The IPA 2016 and amendments within this IA also aim to reduce the scale and costs of organised crime. To help demonstrate the social and economic costs of organised crime to the UK, the Home Office published a research report estimating that the cost of organised crime is at least £44.31 billion a year[footnote 17]. The IPA 2016 and amendments within this IA also aim to reduce the scale and costs of child sexual abuse (CSA). The Home Office estimates that one year of CSA costs £11.46 billion adjusted for 2022 prices[footnote 18]. These figures show that organised crime has a huge social and economic cost to the UK and thus emphasises the importance of investigatory powers detailed in the IPA 2016 and this IA.

70. This security benefit is present across a number of measures summarised in Table 13 below.

Table 13: Measures with security benefits

Measure Area
BPD safeguards BPD
Warrant duration BPD
Strengthening the notice review process Notices Regime
Scope of the regime Notices Regime
Notification requirements Notices Regime
Extraterritorial enforcement Notices Regime
Overseas devices and network Notices Regime
Enabling target detection ICRs
Triple lock TEI Warrantry
TEI authorisation delegation TEI Warrantry
TEI warrants TEI Warrantry
Warrants in Scotland. TEI Warrantry
Appellate functions IPC Functions
Temporary Judicial Commissioners IPC Functions
Definition of ‘lawful authority’ Communications Data
Definition of ‘communications data’ Communications Data
Schedule 3 Interception

Increased public confidence in Government’s ability to handle data

71. The measures imposed by the IPA 2016 have the ability to impact public confidence with regards to how the government handles protected data. It is likely to increase, particularly given the increased safeguards put in place and the publics generally positive views of the intercepting agencies. Public confidence cannot be monetised due to its unquantifiable nature.

72. Although not specific to the IPA 2016, polls available on YouGov suggest that opposition to the IPA 2016 and amendments is likely to be low as only a small proportion of responders believe the government has restricted personal freedom too much and measures should be relaxed with only seven per cent of responders sharing this belief[footnote 19]. It suggests 45 per cent would want stricter measures with 32 per cent being content with the current balance according to the survey from 2019.

73. This is an increase from 2013, where just 31 per cent shared belief that the government needed more powers[footnote 20]. This shows a general public understanding of the balance around interception and use of data.

74. This benefit to public confidence in government’s ability to handle data is present across a number of measures summarised in Table 14 below.

Table 14: Measures with public confidence benefits in government’s ability to handle data

Measure Area
Warrant duration BPD
New statutory regime Third Party BPD
Renewal of Notices Notices Regime
Triple lock TEI Warrantry
TEI warrants TEI Warrantry
Warrants in Scotland TEI Warrantry
Freedom of Information IPC Functions
MoD and CHIS IPC Functions
Reporting of TO personal data breaches to the ICO and IPC IPC Functions
Definition of ‘lawful authority’ Communications Data
Definition of ‘communications data’ Communications Data
Schedule 3 Interception
Journalistic Safeguards Bulk Equipment Interference

Specific Benefits

Time-saving efficiencies

75. Many of the amendments to the IPA will result in time-savings for IPCO, UKIC and TO staff. It is not possible to monetise these benefits, because it would not be appropriate to indicate the number of UKIC, IPCO and TO staff involved in the processes of the IPA. This time-saving benefit is present across a number of measures summarised in Table 15 below.

Table 15: Measures with time-saving efficiency benefits

Measure Area Beneficiary
BPD safeguards BPD UKIC analysts – by reducing the time required to action BPD tasks and by allowing the use of machine learning
Warrant duration BPD Warrant teams – freeing resource for those involved with “double-lock” sign-off process to work on other operational priorities
Warrant delegation BPD Agency heads - will gain time through being able to delegate functions
Scope of the regime Notices Regime Home Office – will gain time through increased clarity of who is or is not in scope
TEI authorisation delegation TEI Warrantry NCA DG – will gain time through being able to delegate functions
TEI warrants TEI Warrantry Secretary of State and administrative staff time – will gain time through reductions in the time taken to complete the process
Reporting of errors IPC Functions IPCO and those reporting errors – will gain time through a standard reporting function
New statutory regime for deputy IPC Functions IPC – will gain time through being able to delegate functions
Appellate functions IPC Functions IPCO – will gain time through being able to delegate functions
Prisoner telecoms restriction orders IPC Functions IPCO – will gain time through no longer having oversight
IPCO oversight IPC Functions Relevant public authorities – will gain increased clarity on IPCO oversight
Definition of ‘communications data’ Communications Data Telecommunications operators, users of CD, IPCO, Office for Communications Data Authorisations – all will gain clarity on the scope of operations

Machine learning

76. It is expected that the first bulk personal dataset reform amendment will enable the development of more dynamic and effective machine learning capabilities, which will allow vital and finite analytical resources to be focussed more effectively, in support of key intelligence outcomes. Machine learning is likely to result in security benefits which cannot be quantified nor monetised. Lord Anderson’s independent review details case studies which are applicable to the benefit of enabled machine learning.

77. A Case study from Lord Anderson’s report demonstrating the potential value of machine learning in reducing the time to search datasets for CSA material by 95 per cent[footnote 21]. This benefit applies only to the following measure summarised in Table 16 below.

Table 16: Measures with machine learning benefits

Measure Area
BPD safeguards BPD

78. It is expected that some amendments will have a benefit of reduced legal cost to business or public authorities.

79. In the case of improvements to the Notices regime, it is expected that there will be fewer reviews of Notices due to the notification requirement facilitating early engagement between operators and government, allowing necessary and appropriate steps to be taken in good time to ensure any negative impacts on investigatory powers are fully considered, and therefore a reduced legal cost to business. If a review is required, clarification regarding the length of time in which a review must be completed within will ensure the process does not extend indefinitely, which should also result in reduced legal costs. It is not possible to monetise this benefit as it is not possible to reveal or estimate the number of firms under notice and those entering the review process.

80. In the case of communications data, it is expected there will be a reduction of potential legal costs to public authorities, since the risk of committing the offence of obtaining communications data without lawful authority will be lowered following greater clarification. It is difficult to quantify this since the data available regarding section 11 offences of obtaining communications data without a lawful authority has 134 errors but none of these errors fall under serious errors, meaning it is impossible to understand the harm caused.

81. This benefit applies only to the following measures summarised in Table 17 below.

Measure Area Beneficiary
Definition of ‘lawful authority’ Communications Data Public authorities
Definition of ‘communications data’ Communications Data IPCO and Public authorities

Future proofing from technological threats

82. There may be instances where measures aid future proofing by providing more robust options for dealing with other technological threats to IPA 2016 capabilities. These amendments will allow detailed examination of future technologies before they are rolled out to consumers and thereby ensuring that access to data is maintained. This benefit applies only the following measures summarised in Table 18 below.

Table 18: Measures with a benefit of future proofing from technological threats

Measure Area
Notification requirements Notices Regime
Extraterritorial enforcement Notices Regime

Enforcement of Notices when there is non-compliance

83. In the case of Notices, resilience is safeguarded by ensuring enforcement of notices where there is non-compliance within the current system. This ensuring of compliance means law enforcement will be able to continue to access data and to maintain public safety. It is not possible to monetise this benefit as it is not appropriate to reveal the number of firms under notice nor is it possible to estimate the number of firms who may be non-compliant within the current system. This benefit applies only to the following measure summarised in Table 19 below.

Table 19: Measures with a benefit of the ability to enforce Notices when there is non- compliance

Measure Area
Extraterritorial enforcement Notices Regime

Increased protection of sensitive information by IPCO

84. It is expected that the eighth amendment to IPCO functions may give the IPCO an increased ability to protect sensitive information and would assess streamline. This benefit applies only to the following measure summarised in Table 20 below.

Table 20: Measures with the benefit of increased protection of sensitive information by IPCO

Measure Area
Freedom of Information IPC Functions

Appraisal Summary

85. This analysis has considered and highlighted the unmonetised costs and benefits of the IPA 2016 reform. The analysis estimates the cost and benefit of various changes falling under categories including BPD Reform, Internet Connection Records, Communications Data, Notices, Third Party Bulk Personal Data, IPCO Functions, Warrantry and Inception.

86. Due to the unmonetisable nature of many of the costs and benefits considered, this IA has not attempted to estimate a value for total costs or benefits. Thus, it does not provide Net Present Social Value (NPSV) figure.

87. The security benefits and increased public confidence benefits of this IA align with those raised in the statutory review of the IPA 2016[footnote 22] and Lord Anderson’s independent review[footnote 23], enabling UKIC and law enforcement to exercise their powers under the act more effectively in the fight against national security threats and serious crime.

NPSV, BNPV, EANDCB

88. There is no NPSV, BNPV or EANDCB as there has been no assessment of the monetised costs or benefits of the IPA 2016. This is due to the data and confidentiality issues mentioned in the ‘Limitations of the analysis’ section above.

Value for money (VfM)

89. Due to the lack of monetised costs and benefits, assessing the value for money is difficult. However, when looking at the objectives of Options 1 and 2, Option 1 does not achieve any objectives and leads to a decrease in security for the UK. In comparison, Option 2 has clear pathways to achieve the objectives through the amendments and is assessed to have a clear variety of benefits including improvements to UK security and increasing the public’s confidence in how the intercepting agencies hold and use their data. It is for these non-monetised benefits that Option 2 is considered to be value for money.

Place-based analysis

90. The amendments being made to IPA 2016 relate to the whole of the UK and are available to support the performance of public authorities across the UK. This means that the impact of the IPA 2016 and the amendments to the IPA 2016 are not geographically confined.

Impact on small and micro-businesses (SMBs)

91. As the measures do not include a cost to business due to all costs being reimbursed 100 per cent by the government, there is no expected impact on small and micro businesses. Additionally, SMBs are unlikely to be TOs and therefore are unlikely to be affected by the IPA 2016 or the amendments.

92. Whilst there are a number of Micro (7,155), Small (710) and Medium businesses (215)[footnote 24] involved in telecommunications activity, these are unlikely to be required to make major changes as the telecoms market is highly concentrated with most telecoms customers being with 10 major firms. As these firms hold most of the communications data, these are the firms which the government and intercepting agencies are mostly interested in. This means that the burden on micro, small and medium firms will be reduced.

F. Proportionality

93. This policy has been developed in light of the significant impact and costs of terrorism and serious organised crime has on the UK, which have been highlighted in the above sections. The proposals would affect telecoms operators in the UK, intercepting agencies and IPCO. These changes will represent some new requirements through the compliance and new regulatory framework but mostly ensure the continued use of the IPA 2016. Recognition of these changes means that every effort possible has been made to analyse the impact that IPA 2016 will have on businesses and other organisations in scope. A public consultation on changes to the Notices regime has been undertaken, with 301 responses received. Respondents included members of the public, TOs, advocacy groups and trade associations. Further public consultations on the associated regulations will also be conducted prior to implementation.

94. The work is proportional to the impact of the IPA 2016 as it reflects the amount of effort that has gone into understanding the possible impacts from the proposals, and how the IPA 2016 can be shaped to mitigate the impact on TOs whilst maintaining the highest benefit for the public.

G. Risks

95. The major risk for this IA is the lack of monetisation. Without appropriate monetisation, a full assessment of the possible costs and benefits is not possible and therefore assessment of the policy remains difficult.

96. Additionally, without monetisation, it is hard to see where the burden of this cost falls, whether on to business or to government. Without showing this burden, assessing the possible cost and therefore impact on business is impossible and cannot be achieved. This could lead to an incorrect assessment of impact and therefore this remains a risk within the impact assessment.

H. Direct costs and benefits to business calculations

97. There are direct impacts to business as there are costs to business and no direct benefits to business. These impacts are unable to be monetised within this IA due to limitations around data and classifications.

I. Trade Impact

98. The amendments to the IPA 2016 are unlikely to have a significant effect on UK trade, either in affecting the ability of UK business and consumers to trade overseas or affecting the ability of overseas businesses to trade with the UK. As the proposals are specifically related to the provision of services to UK based individuals and UK nationals, they are unlikely to have an effect on the ability for UK nationals to trade overseas or on UK TOs overseas.

99. Overseas TOs will be affected by the changes to the IPA 2016 and, as with UK TOs, will be able to seek reimbursement from the UK Government for any costs incurred in complying with the IPA 2016. This means that they are unlikely to suffer any competitive disadvantage compared to UK firms as they will also be able to recoup any burdens placed on them. Overseas TOs are required to comply with the IPA 2016 currently – these amendments do not introduce new powers but seeks to improve the efficacy of the current notice regime. Within the Notices consultation one major company mentioned that it may seek to restrict or remove features for UK-based consumers rather than comply with the IPA 2016[footnote 25]. This would affect the choice UK consumers face, potentially leaving them disadvantaged compared to consumers abroad who will have full access to all these features.

J. Monitoring and evaluation plan

100. The application of the legislation will be scrutinised on an ongoing basis by the IPC and their Office. The Intelligence Security Committee of Parliament will continue to oversee the activities of the security and intelligence agencies, including their exercise of investigatory powers.

101. A post-implementation review will be undertaken within five years of the legislation securing Royal Assent. By this point the measures will be fully implemented and operational, and stakeholders will have had the opportunity to provide feedback on the legislation’s efficacy.

Impact Assessment Checklist

Mandatory specific impact test - Statutory Equalities Duties Complete
Statutory Equalities Duties

The public sector equality duty requires public bodies to have due regard to the need to eliminate discrimination, advance equality of opportunity, and foster good relations in the course of developing policies and delivering services. Equality Duty Toolkit.
An equality impact assessment has been conducted on the Bill. It found that the Bill is compliant, where relevant, with Section 149 of the Equality Act 2010 and that due regard has been made to the need to: eliminate unlawful discrimination; advance equality of opportunity; and foster good relations.

The SRO has agreed these summary findings.		 Yes

The impact assessment checklist provides a comprehensive list of specific impact tests and policy considerations (as of February 2021). Where an element of the checklist is relevant to the policy, the appropriate advice or guidance should be followed. Where an element of the checklist is not applied, consider whether the reasons for this decision should be recorded as part of the impact assessment and reference the relevant page number or annex in the checklist below. Any test not applied can be deleted except the Equality Statement, where the policy lead must provide a paragraph of summary information on this.

The checklist should be used in addition to HM Treasury’s Green Book guidance on appraisal and evaluation in central government (Green Book, 2020).

The Home Office requires the Specific Impact Test on the Equality Statement to have a summary paragraph, stating the main points. You cannot delete this and it MUST be completed.

Economic Impact Tests

If these apply, insert a summary paragraph

Does your policy option/proposal consider…? Yes/No (page)
Business Impact Target
The Small Business, Enterprise and Employment Act 2015 (s. 21-23) creates a requirement to assess the economic impacts of qualifying regulatory provisions on the activities of business and civil society organisations. [Better Regulation Framework Manual] or
[Check with the Home Office Better Regulation Unit]		 No
Review clauses
The Small Business, Enterprise and Employment Act 2015 (s. 28) creates a duty to include a review clause in secondary legislation containing regulations that impact business or civil society organisations. [Check with the Home Office Better Regulation Unit]		 No
Small and Micro-business Assessment (SaMBA)
The SaMBA is a Better Regulation requirement intended to ensure that all new regulatory proposals are designed and implemented so as to mitigate disproportionate burdens. The SaMBA must be applied to all domestic measures that regulate business and civil society organisations, unless they qualify for the fast track. [Better Regulation Framework Manual] or [Check with the Home Office Better Regulation Unit]		 Yes
Clarity of legislation
Introducing new legislation provides an opportunity to improve the clarity of existing legislation. Legislation with multiple amendments should be consolidated, and redundant legislation removed, where it is proportionate to do so.		 Yes
Primary Authority
Any new Government legislation which is to be enforced by local authorities will need to demonstrate consideration for the inclusion of Primary Authority, and give a rationale for any exclusion, in order to obtain Cabinet Committee clearance. [Primary Authority: A Guide for Officials]		 No
New Burdens Doctrine
The new burdens doctrine is part of a suite of measures to ensure Council Tax payers do not face excessive increases. It requires all Whitehall departments to justify why new duties, powers, targets and other bureaucratic burdens should be placed on local authorities, as well as how much these policies and initiatives will cost and where the money will come from to pay for them. [New burdens doctrine: guidance for government departments]		 No
Competition
The Competition guidance provides an overview of when and how policymakers can consider the competition implications of their proposals, including understanding whether a detailed competition assessment is necessary. [Government In Markets Guidance]		 No

Social Impact Tests

New Criminal Offence Proposals
Proposed new criminal offences will need to be agreed with the Ministry of Justice (MOJ) at an early stage. The Justice Impact Test (see below) should be completed for all such proposals and agreement reached with MOJ before writing to Home Affairs Committee (HAC) for clearance. Please allow 3-4 weeks for your proposals to be considered.		 No
Justice Impact Test
The justice impact test is a mandatory specific impact test, as part of the impact assessment process that considers the impact of government policy and legislative proposals on the justice system. [Justice Impact Test Guidance]		 No
Privacy Impacts
A Privacy Impact Assessment supports an assessment of the privacy risks to individuals in the collection, use and disclosure of information. Privacy Impact Assessment or [Contact the Corporate Security Information Assurance Team Helpline on 020 7035 4969]		 No
Family Test
The objective of the test is to introduce a family perspective to the policy making process. It will ensure that policy makers recognise and make explicit the potential impacts on family relationships in the process of developing and agreeing new policy. [Family Test Guidance]		 No
Powers of Entry
A Home Office-led gateway has been set up to consider proposals for new powers of entry, to prevent the creation of needless powers, reduce unnecessary intrusion into people’s homes and to minimise disruption to businesses. [Powers of Entry Guidance]		 No
Health Impact Assessment of Government Policy
The Health Impact Assessment is a means of developing better, evidenced-based policy by careful consideration of the impact on the health of the population. [Health Impact Assessment Guidance]		 No

Environmental Impact Tests

Environmental Impacts
The purpose of the environmental impact guidance is to provide guidance and supporting material to enable departments to understand and quantify, where possible in monetary terms, the wider environmental consequences of their proposals. [Environmental Impact Assessment Guidance]		 No
Sustainable Development Impacts
Guidance for policy officials to enable government departments to identify key sustainable development impacts of their policy options. This test includes the Environmental Impact test cited above. [Sustainable Development Impact Test]		 No
Rural Proofing
Guidance for policy officials to ensure that the needs of rural people, communities and businesses are properly considered. [Rural Proofing Guidance]		 No

  1. UN Human Rights Council 47: UK statement for the response to the Report of the Special Rapporteur on the Right to Privacy

  2. Home Office report on the operation of the Investigatory Powers Act (2016), 2023

  3. Lord David Anderson, Independent review of the Investigatory Powers Act 2016, 2023

  4. Home Office Outcome Delivery Plan 2021-2022 GOV.UK

  5. Integrated Review Refresh 2023; p.8

  6. Integrated Review Refresh 2023; p.59. 

  7. Home Office report on the operation of the Investigatory Powers Act (2016), 2023

  8. Independent Review of the Investigatory Powers Act 2016; David Anderson (Lord Anderson of Ipswich KBE KC) p. 85. 

  9. Home Office report on the operation of the Investigatory Powers Act 2016

  10. Consultation on revised notices regimes in the Investigatory Powers Act 2016; Revised Investigatory Powers Act notices regimes consultation 2

  11. Home Office Report on the Operation of the Investigatory Powers Act 2016

  12. Freedom of Information Act 2000

  13. Investigatory Powers Act 2016. 

  14. Free Speed Reading Test: How fast do you read?

  15. Survey Report

  16. Survey Report

  17. Understanding organised crime 2015/16: estimating the scale and the social and economic costs (Research Report 103), adjusted for 2022 prices

  18. The economic and social cost of contact child sexual abuse, adjusted for 2022 prices

  19. Survey Report, 2019. Survey of 1,699 individuals

  20. Survey Report, 2013. Survey of 1,886 individuals

  21. Independent Review of the Investigatory Powers Act 2016, GCHQ Case Studies (Bulk Personal Datasets), Lord Anderson - Independent review of the IPA 2016. 

  22. Home Office report on the operation of the Investigatory Powers Act (2016), 2023

  23. A Question of Trust – Report of the Investigatory Powers Review

  24. UK business: activity, size and location - Office for National Statistics

  25. Apple slams UK surveillance-bill proposals - BBC News

Back to top